The F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266078 | F5BI-DM-300039 | SV-266078r1024610_rule | CCI-001749 | medium |
| Description | ||||
| Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device must not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA). | ||||
| STIG | Date | |||
| F5 BIG-IP TMOS NDM Security Technical Implementation Guide | 2025-06-12 | |||
Details
Check Text (C-266078r1024610_chk)
From the BIG-IP console, type the following command:
tmsh list /sys db liveinstall.checksig value
Note: This must return a value of "enable".
If the db variable is not set to "enable", this is a finding.
Fix Text (F-69904r1023484_fix)
From the BIG-IP console, type the following commands:
tmsh modify /sys db liveinstall.checksig value "enable"
tmsh save sys config